Office of the Inspector General

September 24, 1999

John R. Dyer
Principal Deputy Commissioner of Social Security

Acting Inspector General

Employee Access to Title XVI Computer Applications and Data (A-13-98-12009)

Attached is a copy of the subject final report. The objective of our audit was to determine whether, based on job duties, employees had appropriate levels of access to Supplemental Security Income computer applications and data.

You may wish to comment on any further action taken or contemplated on our recommendations. If you choose to offer comments, please provide them within the next 60 days. If you wish to discuss the final report, please call me, or have your staff contact Daniel R. Devlin, Acting Assistant Inspector General for Audit, at (410) 965-9700.

James G. Huse, Jr.

Attachment

OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION

EMPLOYEE ACCESS TO TITLE XVI COMPUTER APPLICATIONS AND DATA

September 1999   A-13-98-12009

AUDIT REPORT

EXECUTIVE SUMMARY

OBJECTIVE

The objective of this audit was to determine whether, based on job duties, employees have appropriate levels of access to Supplemental Security Income (SSI) computer applications and data.

BACKGROUND

There are concerns that information protection-related weaknesses subject sensitive Social Security Administration (SSA) information to potential unauthorized access, modification, and/or disclosure by employees. The U.S. General Accounting Office (GAO) reported that the SSI program has been affected by internal control weaknesses, complex policy issues, and insufficient management attention. For these reasons, GAO identified the SSI program as “high-risk” in February 1997. Additionally, PricewaterhouseCoopers (PWC) (formerly Price Waterhouse), SSA’s financial statement audit contractor, recommended that the lack of controls in protecting information be reported as a material weakness in SSA’s annual Federal Managers’ Financial Integrity Act report for Fiscal Year 1997.

The SSI program, authorized by title XVI of the Social Security Act, is a needs-based program administered by SSA. The primary automated system for processing SSI claims is the Modernized Supplemental Security Income Claims System (MSSICS). MSSICS is a mainframe-based, on-line, interactive claims system. The system allows for the establishment and processing of SSI claims by accumulating data, such as identification information, the disability determination decision, living arrangements, financial resources, income, and potential eligibility for other benefits. SSA controls employee access to MSSICS and other production mainframe computer resources (i.e., data files, application and system software programs, and computer-related facilities and equipment) through the use of Computer Associates-TOP SECRET, or simply TOP SECRET.

The Office of Management and Budget (OMB) requires that agencies incorporate security controls into sensitive financial management systems. One basis for assigning proper access is “least privilege,” which is defined as the practice of restricting a user’s access to the minimum amount necessary to perform job duties or responsibilities. One of TOP SECRET’s primary mechanisms for controlling user access is through the use of profiles.[1] Profiles are sets of transaction identifiers (ID) for groups of users and are generally defined and assigned according to job position. These transaction IDs permit access to specific MSSICS computer screens. SSA uses two types of profiles: standardized and nonstandardized. Standardized profiles are defined as profiles that remain fixed within the Agency. These profiles are most applicable to operational positions that are standardized across field locations throughout SSA. Nonstandardized profiles are generally developed within a component for a particular person, position, or team and are not standard across field locations or components, such as SSA’s Office of Systems personnel.

[1] TOP SECRET’s two other types of mechanisms for controlling access (data sets, and transaction identifiers assigned directly to individual users rather than to profiles) were not covered under the scope of this review.

We reviewed all 281 standardized MSSICS profiles and identified 62 that provided access to at least 1 of 8 transaction IDs that are gateway screens for sensitive data entry or updating functions. Of the 62 profiles, we identified 22 profiles with access privileges that did not appear excessive using job descriptions as a guide. The remaining 40 profiles were assigned to 30,450 personal identification numbers (PIN) that potentially had excessive access. We discussed with security personnel how these profiles are developed, assigned, and reviewed. SSA could not readily determine the number of nonstandardized profiles because producing it would have required a massive manual effort.

RESULTS OF REVIEW

STANDARDIZED TOP SECRET PROFILES PROVIDED EXCESSIVE ACCESS TO MSSICS

Of the 62 standardized TOP SECRET profiles we reviewed, 19 (31 percent) provided MSSICS update capabilities in excess of those needed by SSA personnel to perform job duties. These 19 profiles control access for 25,330 unique and nonunique PINs.[2] One of these profiles was assigned to over 7,500 unique PINs. As a result, employees using these 25,330 PINs could inadvertently or intentionally change information on SSI files or send inaccurate data to SSI records. This condition existed for several reasons: (1) MSSICS software was not designed so that transaction IDs could be assigned to profiles to achieve adequate segregation of high- and low-risk data entry fields on the computer screens; (2) security personnel did not change profiles as job positions evolved; (3) security personnel erroneously assigned improper access; and (4) SSA’s Systems Security Officer (SSASSO) staff did not adequately review proposed profiles and did not periodically review profiles to ensure that they remained appropriate. We did not determine whether any excessive transactions were executed as a result of excessive access because it was not practical for us to do so. Even without testing, we believe the significant number of PINs (over 25,000) with excessive access results in increased exposure to fraud, waste, and abuse in the SSI program.

[2] These PINs can be assigned multiple profiles. Because we counted profiles, PINs can be counted more than once. PINs that are assigned more than one profile are considered nonunique, while PINs that are assigned only one profile are considered unique. (See Exhibit 1 in the Introduction for an illustration.)

NONSTANDARDIZED TOP SECRET PROFILES FOR MSSICS WERE NOT ADEQUATELY CONTROLLED OR MANAGED

SSA did not adequately control or manage employees’ access privileges through nonstandardized MSSICS profiles. Nonstandardized profiles are created and controlled within a component and are not subject to review outside that component by SSASSO. As a result, SSA cannot determine, without a massive manual effort, the number of employees, including analysts and programmers, who may have inappropriate access to input or modify sensitive SSI data. We believe SSA’s ineffective control and management of its employees’ access privileges continues because SSA has implemented the profiles in such a way that the readily available reporting and control mechanisms in TOP SECRET cannot be effectively utilized without additional programming to monitor and review the access.

CONCLUSIONS AND RECOMMENDATIONS

SSA needs to strengthen security access controls for the 25,330 unique and nonunique PINs having excessive access. Excessive access could result in loss of data, loss of funds, and the unauthorized release of personal information. This vulnerability increases SSA’s exposure to fraud in the SSI program. To establish proper security controls and effectively implement the policy of least privilege, SSA needs to restrict authorized employee access.
SSA also needs to improve security officers’ monitoring and oversight of the granting of access throughout SSA.

FINDING: STANDARDIZED TOP SECRET PROFILES PROVIDE EXCESSIVE ACCESS TO MSSICS

We recommend that SSA:

• Remove excessive or inappropriate transaction IDs from those profiles identified as having excessive access (see Appendix A).

• Examine the activity in the audit trail files of all PINs assigned to the profiles identified in Appendix A to determine whether excessive transactions were performed which may indicate fraud, and refer any violations to the Office of the Inspector General (OIG).

• Review all other MSSICS TOP SECRET profiles and remove those transaction IDs that permit inappropriate or excessive access for the assigned duties and responsibilities.

• Modify MSSICS software to segregate access between high- and low-risk data entry fields.

• Provide improved training and guidance to security officers assigning and reviewing transaction IDs to standardized TOP SECRET profiles for which they are responsible. As part of this training, SSA should provide improved system flow charts and functional descriptions of new transaction IDs, particularly for major software releases when many new capabilities are added.

• Perform periodic post-implementation reviews of profiles by security staff for proper assignment of transaction IDs to profiles based on the concept of least privilege.

FINDING: NONSTANDARDIZED TOP SECRET PROFILES FOR MSSICS ARE NOT ADEQUATELY CONTROLLED OR MANAGED

We recommend that SSA:

• Require that SSASSO staff review and approve all access to production data.

• Accelerate efforts to develop standardized profiles for all positions requiring access and increase security officer review and approval of the granting and deletion of nonstandardized profiles.

AGENCY COMMENTS

With the exception of the following comments, SSA concurred with our recommendations.

• In the first recommendation, SSA did not agree that access for the Model District Office (MDO) Manager profile was excessive. Instead, the Agency contends that the MDO Manager profile requires access to high-risk transactions during implementation weekends when software is tested before it is released to the regions. To ensure that MDO Manager access is issued only for testing software applications, SSA plans to review this access for implementation weekends.

• In the second recommendation, SSA recognized the need to detect fraud but rejected our recommendation on the basis of cost. SSA believes other processes are already in place to adequately detect fraud.

• SSA took exception to the sixth recommendation because it believes line management is responsible for post-implementation reviews and that security personnel are accountable for administering access control policies, standards, and procedures approved by the SSASSO and/or senior management.

• Similarly, SSA did not agree with the seventh recommendation for SSASSO staff to review and approve all access to production data. While SSA agrees there is a need to review and approve standardized and nonstandardized profiles, the Agency does not believe this function is SSASSO’s responsibility. Again, SSA contends that this review and approval is best performed by line management. SSA believes that its planned approach for developing standardized profiles will provide more effective controls over access to production data.

SSA also provided two technical comments. First, the Agency is concerned that our definition of standardized profiles could imply that these profiles remain fixed. Second, SSA had concerns that our use of the term “nonunique” to describe PINs assigned to more than one profile could give the impression that some users are assigned more than one PIN. The full text of SSA’s comments is included in Appendix B.

OIG RESPONSE

We continue to support our recommendations. Based on SSA’s comments, we have the following responses.

• With regard to the first recommendation, we still believe the excess access for the MDO Manager profile should be removed. First, MDO Managers are not frequently involved in implementation weekends. At a minimum, SSA should limit MDO Manager access by using separate profiles that are only available to MDO Managers during implementation weekends. Second, SSA’s plan to audit high-risk transactions during implementation weekends does not acknowledge that high-risk transactions may be occurring at times other than on implementation weekends.

• While we acknowledge there are costs associated with implementing the second recommendation, we contend that SSA must fully use the audit trail files that were created to detect fraud.

• For recommendations six and seven, we still believe the role of security personnel includes periodic reviews of profiles and responsibility for reviewing and approving access to production data. We acknowledge that the assignment of profiles to individual users is the responsibility of line management. However, both recommendations refer to the assignment of transaction IDs to profiles, a function that should be the responsibility of security personnel.

We considered SSA’s technical comments while drafting our report. Even with the assistance of SSA staff, we were unable to come up with more appropriate terminology. We believe the inclusion of the technical comments in the report will minimize any of the reader’s misconceptions.

TABLE OF CONTENTS

EXECUTIVE SUMMARY
INTRODUCTION
RESULTS OF REVIEW
    STANDARDIZED TOP SECRET PROFILES PROVIDED EXCESSIVE ACCESS TO MSSICS
    NONSTANDARDIZED TOP SECRET PROFILES FOR MSSICS WERE NOT ADEQUATELY CONTROLLED OR MANAGED
CONCLUSIONS AND RECOMMENDATIONS

APPENDICES
APPENDIX A - Top Secret Profiles Having Excessive Access
APPENDIX B - SSA Comments
APPENDIX C - Major Contributors to This Report
APPENDIX D - SSA Organizational Chart

INTRODUCTION

OBJECTIVE

The objective of this audit was to determine whether, based on job duties, employees had appropriate levels of access to the Supplemental Security Income (SSI) computer applications and data.

BACKGROUND

The Office of Management and Budget (OMB) Circular A-127, Financial Management Systems, requires that Federal agencies plan for and incorporate security controls into sensitive financial management systems. OMB Circular A-130, Management of Federal Information Resources, requires that agencies: (1) maintain and protect individually identifiable information and proprietary information in a manner that precludes unwarranted intrusion upon personal privacy and violation of confidentiality; (2) ensure agency personnel are trained to safeguard information resources; (3) establish a level of security for all agency information systems commensurate with the sensitivity of the information and the risk and magnitude of loss or harm that could result from improper operation of the information system; and (4) ensure that only authorized personnel have access to information systems. OMB Circular A-130 also requires that agencies incorporate personnel controls, such as separation of duties, least privilege, and individual accountability, to ensure that adequate security is provided for an agency’s major applications. Least privilege is defined as the practice of restricting a user’s access to data files, processing capabilities, or type of access (read, write, execute, delete) to the minimum necessary to perform his or her job. The Social Security Administration (SSA) has incorporated this principle as a standard in its Systems Security Handbook. In fact, the Handbook states “. . . controlling and limiting access is the first line of defense in assuring the security and integrity of Agency resources.”

SSA’s Systems Security Officer (SSASSO) staff, along with a network of regional and Central Office component security staff members, have overall responsibility for interpreting, developing, and implementing security policy. Security officers are responsible for developing, implementing, and managing the security program within their organizations, including administration of access controls. According to the Systems Security Handbook, SSASSO staff provides guidance and advises security officers in matters involving SSA’s security program, establishes systems security policies and procedures, and administers the Computer Associates TOP SECRET (TOP SECRET) profile access authorization matrix.

Title XVI Program and Applications

The SSI program, authorized by title XVI of the Social Security Act, is a needs-based program administered by SSA. SSI provides a minimum level of income to people who are aged, blind, disabled, and/or who have limited income and resources. During Fiscal Year (FY) 1998, qualifying individuals could receive a maximum of $494 in Federal benefits per month plus medical assistance. Some States provide supplementary benefits that are paid by SSA, but SSA receives reimbursement from those States for the supplementary benefits it pays. In FY 1998, SSA paid out $30.5 billion in SSI and supplementary State benefits to more than 6.6 million recipients. SSI payments are not paid from the Social Security or Medicare trust funds, but from the general fund of the U.S. Department of the Treasury.

The primary automated system for processing SSI claims is the Modernized Supplemental Security Income Claims System (MSSICS). MSSICS is a mainframe-based, on-line, interactive claims system using screens allowing for the establishment and adjudication of SSI claims. MSSICS accumulates claimant data, such as identification information, the disability determination decision, living arrangements, financial resources, income, and potential eligibility for other benefits. SSA first implemented MSSICS in 1992, with the latest major release in May 1997 to add post-entitlement processing capabilities.

Access Control Software

SSA uses TOP SECRET, a commercial access control software package, to control employee access to MSSICS and other production mainframe computer resources. TOP SECRET protects computer resources by identifying authorized users and controlling their access capability.

To obtain access to SSA’s systems through TOP SECRET, an employee first submits Form SSA-120, Application for Access to SSA Systems, to the designated local security officer. After the application is approved, it is forwarded to the appropriate regional or component security officer, who assigns a personal identification number (PIN) and initial password. The PIN is assigned as many profiles as the employee needs to perform his or her job duties.

One of TOP SECRET’s primary mechanisms for controlling user access is the profile. Profiles contain sets of common access authorizations, referred to as transaction identifications (ID), for groups of users. Access authorizations allow specific data entry transactions and query capabilities for each computer screen. SSA defines and assigns standardized profiles according to job position. SSA has developed more than 1,700 standardized profiles to control systems access for about 127,000 unique and nonunique PINs assigned to these profiles.

PINs may be assigned to more than one profile. A PIN is considered nonunique if it has more than one profile assigned. Therefore, nonunique PINs are counted more than once in summary totals. An illustration of unique versus nonunique PINs is shown in Exhibit 1.

Exhibit 1. Illustration of Unique Versus Nonunique PINs

    Employee Name   PIN   No. of Profiles Assigned   Unique/Nonunique
    Tom             001   2                          Nonunique
    Mary            002   3                          Nonunique
    Joe             003   1                          Unique
    Sue             004   2                          Nonunique

    SUMMARY PROFILE REPORT
    Profile                       PINs Assigned           No. of PINs
    Profile 1                     001, 002, 004, etc.     3,000
    Profile 2                     001, 003, etc.          2,000
    Profile 3                     002, etc.               1,000
    Profile 19                    002, 004, etc.          5,000
    Total PINs (All Profiles)                             127,000

We have identified 281 of the standardized profiles, assigned to 73,500 PINs, providing access to the MSSICS application. Standardized profiles are defined as profiles that are reviewed, approved, and controlled by SSASSO. These profiles are most applicable to operational positions, such as benefit authorizers, which are standard throughout SSA’s field locations. Nonstandardized profiles are generally defined as profiles that are developed within a component for a particular person, position, or team and are not standard across organizations, such as SSA’s Office of Systems (OS) personnel. SSA did not use standardized profiles in OS because of the diverse nature of duties for OS personnel. Nonstandardized profiles are not reviewed or approved by SSASSO, and may be custom-designed for one or more individuals.

MSSICS contains nearly 400 transaction IDs. Transaction IDs permit a user to access different computer screens, containing various data entry fields, for performing specific activities such as establishing a new claim, updating post-entitlement data, providing a path or “gateway” to other input screens, and/or performing data queries.

SCOPE AND METHODOLOGY

We obtained a listing and general description of the 396 MSSICS transaction IDs and found 8 of the transaction IDs were most critical for processing or updating information. We also obtained 281 standardized MSSICS profiles and identified 62 that provided access to at least 1 of the 8 transaction IDs we identified as gateway screens. These 62 profiles allow employees to input and update data in MSSICS.

Exhibit 2: Critical Transaction IDs

        Transaction ID   Description                                        Purpose of Transaction ID
    1.  ZA05             SSI Claims Application, Establish, Full/Deferred   Collects application and eligibility data.
    2.  ZA15             Client Identification, Full/Deferred               Records personal identification data about the claimant.
    3.  ZJ30             Decision Input, Update                             Records adjudicative decisions.
    4.  ZJ95             Build Supplemental Security Record (SSR)           Begins the process that builds the SSR.
    5.  ZJP3             Decision Input, Close Post-Entitlement Events      Records adjudicative decisions.
    6.  ZM11             Person Screen Status (Establish, Update)           Displays all available screens in the claimant’s path and allows selection of those screens for updating.
    7.  ZM42             Post-Entitlement Menu                              Allows entry to post-entitlement screens.
    8.  ZS97             Build Transaction SSR Confirmation                 Instructs MSSICS to send completed data to the SSR.

Of the 62 profiles identified as having input and update access to MSSICS, we identified 22 profiles with access privileges that did not appear excessive using job position descriptions as a guide.
For the remaining 40 profiles, we obtained a more\nin-depth understanding of users\xe2\x80\x99 job duties actually performed through discussions with\npersonnel within the Office of Operations and the Office of Finance, Assessment and\nManagement about the position descriptions and training requirements.\n\nThe 40 profiles control access for approximately 30,450 unique and nonunique PINs\namong the following 4 SSA offices or components:\n\n         \xe2\x80\xa2\t   Office of Quality Assistance and Performance Assessment (OQA),\n         \xe2\x80\xa2    Office of Automation Support (OAS),3\n         \xe2\x80\xa2    Office of Central Operations, and\n         \xe2\x80\xa2    SSASSO\xe2\x80\x99s office.\n\nWe also discussed with the Office of Operations the inadequacy of the MSSICS system\nto permit the segregation of high- and low-risk data entry fields. In addition, we\n\n3\n  OAS administers profiles for SSA\xe2\x80\x99s field offices, teleservice centers, area directors\xe2\x80\x99 offices, regional\noffices, and Headquarters offices.\n\n\n                                                       4\n\n\x0creviewed a typical nonstandardized profile used by SSA\xe2\x80\x99s Office of Systems\nRequirements (OSR). We also reviewed SSA\xe2\x80\x99s Modernized Systems Operations\nManual and the Systems Security Handbook to determine pertinent operating and\nsecurity policies and procedures. We discussed with security personnel in each of the\nfour offices mentioned above how profiles are developed using the system\ndocumentation of transaction IDs and how they are assigned and reviewed.\n\nWe did not determine the extent to which individuals were assigned multiple profiles;\nwhether assignment of multiple profiles provided too broad an access; or whether job\npositions had excessive functions. These issues are subject to an ongoing review by\nSSA\xe2\x80\x99s PWC. 
We did not determine whether individuals had executed any improper\ntransactions as a result of excessive access because it was not practical for us to do\nso.\n\nWe also planned to determine the number of employees in OS, including systems\nanalysts and programmers, who have improper access to input or modify MSSICS data.\nHowever, despite our requests, SSA did not provide a listing of nonstandardized\nprofiles with access to MSSICS data for our review, including the number of PINs\nassigned to these profiles, because of resource restraints. Although SSA did not\nprovide a list of nonstandardized profiles, it did provide an example of a typical\nnonstandardized profile for our review. In addition, we did not review the access of\nthose employees who have access assigned through datasets or transaction IDs\ndirectly.\n\nWe conducted the audit from January through May 1998 at SSA Headquarters in\nBaltimore, Maryland. The audit was performed in accordance with generally accepted\ngovernment auditing standards.\n\n\n\n\n                                           5\n\n\x0c                       RESULTS OF REVIEW\n\n\nWe found that employee access to title XVI computer applications and data using\nstandardized profiles was excessive, and the use of nonstandardized profiles is not\nadequately controlled.\n\nSTANDARDIZED TOP SECRET PROFILES PROVIDED EXCESSIVE\nACCESS TO MSSICS\n\nWe reviewed 62 standardized TOP SECRET profiles identified as having input and\nupdate access to MSSICS and found 19 (31 percent) provided employees with input\nand update capabilities in excess of those needed to perform their job duties. One of\nthese profiles controlled access for over 7,500 unique PINs. In total, the 19 profiles\ncontrolled access for 25,330 unique and nonunique PINs. Specifically, 7 of the\n19 standardized TOP SECRET profiles were assigned to approximately 18,800 PINs in\nSSA field offices and program service centers. 
These seven profiles provided\nexcessive access to update functions that the employees assigned to these profiles\nwere neither trained nor authorized to process. The remaining 12 of the\n19 standardized TOP SECRET profiles were assigned to over 6,500 PINs throughout\nseveral SSA components, including SSASSO staff. In these 12 instances, excessive\naccess exposed sensitive SSA data to unauthorized access, modification, and\ndisclosure by individuals who had no job-related need for this access (see Appendix A\nfor details). This data involves information related to Social Security numbers,\ndisabilities, and title XVI benefits. As a result, employees could inadvertently or\nintentionally change data and files affecting the amount of SSI benefits and recipient.\nEven though we did not determine whether any fraudulent activities occurred, the\nrepercussions of such actions could be far reaching because of the large number of\nPINs assigned to these profiles.\n\nOMB Circular A-130 requires that agencies incorporate personnel controls, including\nleast privilege, to ensure that adequate security is provided for an agency\xe2\x80\x99s major\napplications. Least privilege is the practice of restricting a user\xe2\x80\x99s access to data files,\nprocessing capabilities, or type of access to the minimum necessary to perform job\nduties. 
SSA\xe2\x80\x99s Rules of Behavior for Users and Managers in SSA\xe2\x80\x99s Systems Security\nHandbook also specifies systems access is to be restricted to that needed to perform\nassigned duties.\n\nSSA employees were given authority to access systems in excess of that needed to\nperform their job duties for four reasons: (1) MSSICS software was not designed so\nthat transaction IDs could be assigned to profiles to achieve adequate segregation of\nhigh- and low-risk data entry fields on the computer screens; (2) security personnel did\n\n\n                                              6\n\n\x0cnot change profiles as job positions evolved; (3) security personnel incorrectly\nassigned improper access; and (4) SSASSO did not adequately review proposed\nprofiles and did not periodically review profiles to ensure they remain appropriate.\n\n        MSSICS Software Limitations MSSICS software is not designed to allow for\nproper segregation of low- and high-risk data entry fields on the screens when\nassigning transaction IDs to profiles. SSA considers high-risk data entry fields as those\nthat allow the user to establish a new claim or process significant post-entitlement\nactions resulting in a redetermination of benefits. Low-risk data entry fields are those\nthat do not affect the amount of benefit payment or result in a redetermination review,\nsuch as direct deposit data and a change of address not resulting in a change in living\narrangements.\n\nSome positions need access to MSSICS screens containing more data entry fields than\nare needed to perform their job duties. Operations supervisors, field representatives,\ngeneralist claims representatives, and title XVI claims representatives are authorized to\nupdate high-risk data entry fields and are the only positions authorized to establish new\nclaims and fully adjudicate post-entitlement actions. 
However, standardized profiles for title II claims representatives, service
representatives, telephone service representatives, inquiry and expediting
specialists, SPIKES, and claims recovery technical assistants include access to
screens that allow these unauthorized staff to update high-risk data entry fields.
Access to the high-risk data fields by these employees is unavoidable because the
screens they use contain both the necessary low-risk fields and the unnecessary
high-risk fields. MSSICS software cannot suppress the high-risk data fields so that
these employees are limited in their access to only the needed low-risk data fields.
During our audit, we found that OAS was already aware of this software limitation
and had submitted a request to OS to correct the problem. However, according to
OAS, OS had not been able to respond to its request because of higher priority
projects.

        Profiles Were Not Changed as Job Positions Evolved

Security personnel in OAS did not change standardized profiles as job duties for
certain positions evolved because there was no specific requirement for security
personnel to review and modify profiles when job duties changed. It was not clear
why security personnel did not adhere to SSA's Systems Security Handbook policy to
ensure that excessive access was not granted. Development clerks and data entry
operators have access to all of the transaction IDs needed to establish an initial
claim and enter post-entitlement actions, transactions typically reserved for claims
representatives and field representatives. According to OAS management, the
necessity for those positions to retain such extensive access was significantly
reduced or completely eliminated with the implementation of SSA's Intelligent
Workstation project.
Over time, field representatives have become able to carry out their own data entry
tasks more quickly and efficiently using remote workstations rather than relying on
development clerks and data entry operators.

        Improper Access Assigned

Security personnel incorrectly assigned improper access because of lack of guidance
or inadequate understanding of the capabilities of the transaction IDs involved. In
OQA and SSASSO, security personnel inadvertently or unknowingly assigned
transaction IDs that provided the capability to update or modify certain data in the
MSSICS pending file when query-only access was all that was needed. After we
discussed this with component security personnel during our audit, both OQA and
SSASSO agreed that the standardized profiles provided excessive access, and they
have initiated appropriate profile changes. OAS has also initiated some of the profile
changes we recommended during our audit. We believe these types of mistakes
occurred because OSR did not provide sufficient system flowcharts, screen paths, and
functional descriptions of transaction IDs to assist component security officers to
properly construct standardized profiles for each respective component. In addition,
limited training was provided on the effect the new system features have on access
rights that may require modifications to existing profiles. For example, for the last
major release of MSSICS software, 78 new screens were added. While OSR provided
facsimiles of the new screens and a listing of new transaction IDs to security officers
at the security kickoff meeting, they did not provide adequate screen and transaction
ID descriptions and pathing flowcharts. Descriptive guidance was provided for only
16 of the 78 new transaction IDs.
Additionally, security officers had only a short time to develop new profiles and
submit them to SSASSO for review.

        Inadequate Review of Profiles

SSASSO staff is responsible for reviewing and approving all new or modified
standardized profiles before they are implemented and validating the access granted
by the profiles. During its initial profile reviews, SSASSO staff did not detect or
prevent the erroneous transaction IDs from being assigned. We could not determine
why security personnel did not adhere to the Systems Security Handbook policy
requiring least privilege. Although periodic reviews were not specifically required,
security personnel did not perform them to ensure profiles contained appropriate
transaction IDs.

SSA had not identified all employees with these excessive accesses nor determined
whether any of them had inappropriately made transactions. Without examining audit
trail files to determine whether individuals had used their excessive access to execute
any improper transactions, it is impossible to determine whether fraud or abuse has
occurred.

NONSTANDARDIZED TOP SECRET PROFILES FOR MSSICS WERE NOT
ADEQUATELY CONTROLLED OR MANAGED

SSA did not adequately control or manage nonstandardized profiles for employees in
OS. Access for these employees is neither assigned through the use of standardized
profiles nor reviewed or approved by SSASSO. Security personnel in OS create and
implement these profiles independent of SSASSO oversight. We could not determine
why SSASSO did not review or approve these profiles to ensure excessive access was
not granted as required by the Systems Security Handbook. As a result, there was no
oversight to ensure sensitive SSI information was protected from unauthorized access,
modification, and disclosure.
Excessive access allows employees to inadvertently or intentionally update
information on the MSSICS pending file and the SSR. Unauthorized changes or
modifications to these SSI records could result in a change in a claimant's
eligibility and benefit amount.

Although SSA could not readily provide a listing of nonstandardized profiles for our
review, it did provide an example of a typical nonstandardized profile for an
undetermined number of systems analysts in OSR. We found these analysts could
input or change data associated with two of the eight sensitive transaction IDs, as
described in the Scope and Methodology section of this report.

As stated earlier, OMB Circular A-130 requires that agencies incorporate personnel
controls to ensure that adequate security is provided for an agency's major
applications. According to SSA's Systems Security Handbook, security officers are
responsible for developing, implementing, and managing security within their offices.
Their responsibilities include administering, monitoring, and assessing compliance
with access controls.

We believe SSA's ineffective control and management of its employees' access
privileges continues because SSA has implemented the profiles in such a way that the
readily available reporting and control mechanisms in TOP SECRET cannot be
effectively utilized without additional programming to monitor and review the access.
During our audit, one security officer stated that nonstandardized profiles were
extremely difficult to administer because each employee's access had to be
administered individually.
For this reason, we support SSA's initiative to move toward eliminating
nonstandardized profiles and replacing them with standardized profiles.

We acknowledge that SSA has taken some preliminary steps toward classifying and
developing standardized profiles for employees in OS, who make up the majority of
nonstandardized users. OS established a workgroup in November 1997 to address
these access issues. As of April 1999, the workgroup had made some progress toward
developing and implementing standardized profiles for users having access to on-line
production systems. SSA anticipates Phase I of this project will be completed by
December 31, 1999. However, as of the date of this audit, only 12 of an estimated
125 profiles had been completed, and 35 others were under development. SSA needs
to make this project a higher priority in order to ensure its successful and timely
completion.

     CONCLUSIONS AND RECOMMENDATIONS

SSA needs to strengthen security access controls for the 25,330 unique and nonunique
PINs that have excessive access. Excessive access could result in loss of data, loss of
funds, and the unauthorized release of personal information. This vulnerability
increases SSA's exposure to fraud in the SSI program. In order to establish proper
security controls and effectively implement the policy of least privilege, SSA needs to
restrict authorized employee access to that needed to perform assigned duties. SSA
also needs to improve security officers' monitoring and oversight of the granting of
access throughout SSA.

FINDING 1: STANDARDIZED TOP SECRET PROFILES PROVIDED EXCESSIVE
ACCESS TO MSSICS

We recommend that SSA:

   1. Remove excessive or inappropriate transaction IDs from those profiles identified
      as having excessive access (see Appendix A).

   2. Examine the activity in the audit trail files of all PINs assigned to the profiles
      identified in the Appendix to determine whether excessive transactions were
      performed to commit fraud and refer any violations to the OIG.

   3. Review all other MSSICS TOP SECRET profiles and remove those transaction
      IDs that permit inappropriate or excessive access for the assigned duties and
      responsibilities.

   4. Modify MSSICS software to segregate access between high- and low-risk data
      entry fields.

   5. Provide improved training and guidance to security officers assigning and
      reviewing transaction IDs to standardized TOP SECRET profiles for which they
      are responsible. As part of this training, SSA should provide improved system
      flow charts and functional descriptions of new transaction IDs, particularly for
      major software releases when many new capabilities are added.

   6. Perform periodic post-implementation reviews of profiles by security staff for
      proper assignment of transaction IDs to profiles based on the concept of least
      privilege.

FINDING 2: NONSTANDARDIZED TOP SECRET PROFILES FOR MSSICS ARE
NOT ADEQUATELY CONTROLLED OR MANAGED

We recommend that SSA:

   7. Require that SSASSO staff review and approve all access to production data.

   8. Accelerate its efforts to develop standardized profiles for all positions requiring
      access and increase security officer review and approval of the granting and
      deletion of nonstandardized profiles.

AGENCY COMMENTS

With the exception of the following comments, SSA concurred with our
recommendations. The full text of SSA's comments is included in Appendix B.

•  In the first recommendation, SSA did not agree that access for the MDO Manager
   profile was excessive.
   Instead, the Agency contends that the MDO Manager profile requires access to
   high-risk transactions during implementation weekends when software is tested
   before it is released to the regions. To ensure that MDO Manager access is issued
   only for testing software applications, SSA plans to review this access for
   implementation weekends.

•  In the second recommendation, SSA recognized the need to detect fraud but
   rejected our recommendation on the basis of cost. SSA believes other processes
   are already in place to adequately detect fraud.

•  SSA took exception to the sixth recommendation because it believes line
   management is responsible for post-implementation reviews and that security
   personnel are accountable for administering access control policies, standards,
   and procedures approved by the SSASSO and/or senior management.

•  Similarly, SSA did not agree with the seventh recommendation for SSASSO staff to
   review and approve all access to production data. While SSA agrees there is a
   need to review and approve standardized and nonstandardized profiles, the Agency
   does not believe this function is SSASSO's responsibility. Again, SSA contends
   that this review and approval is best performed by line management. SSA believes
   that its planned approach for developing standardized profiles will provide more
   effective controls over access to production data.

SSA also provided two technical comments. First, the Agency is concerned that our
definition of standardized profiles could imply that these profiles remain fixed.
Second, SSA had concerns that our use of the term "nonunique" to describe PINs
assigned to more than one profile could give the impression that some users are
assigned more than one PIN.

OIG RESPONSE

We continue to support our recommendations.
Based on SSA's comments, we have the following responses.

•  With regard to the first recommendation, we still believe the excess access for the
   MDO Manager profile should be removed. First, MDO Managers are not frequently
   involved in implementation weekends. At a minimum, SSA should limit MDO
   Manager access by using separate profiles that are only available to MDO
   Managers during implementation weekends. Second, SSA's plan to audit high-risk
   transactions during implementation weekends does not acknowledge that high-risk
   transactions may be occurring at times other than on implementation weekends.

•  While we acknowledge there are costs associated with implementing the second
   recommendation, we contend that SSA must fully use the audit trail files that were
   created to detect fraud.

•  For recommendations six and seven, we still believe the role of security personnel
   includes periodic reviews of profiles and responsibility for reviewing and approving
   access to production data. We acknowledge that the assignment of profiles to
   individual users is the responsibility of line management. However, both
   recommendations refer to the assignment of transaction IDs to profiles, a function
   that should be the responsibility of security personnel.

We considered SSA's technical comments while drafting our report.
Even with the assistance of SSA staff, we were unable to come up with more
appropriate terminology. We believe the inclusion of the technical comments in the
report will minimize any of the reader's misconceptions.

APPENDICES

                                                                         APPENDIX A

            TOP SECRET PROFILES HAVING EXCESSIVE ACCESS

 The Social Security Administration's 12 TOP SECRET profiles identified by the Office
 of the Inspector General as having inappropriate or excessive access.

                   No. of                                                  High-Risk
                    PINs                                                Transaction IDs
       Profile    Assigned     Component   Position                       Not Needed
 1.    POI118P       1,210     OQA         General                        ZA15, ZJ30, ZJP3
 2.    POI166P          21     OQA         Regional/Local                 ZA15, ZJ30, ZJP3
                                           Security Officer
 3.    POI167P          20     OQA         Alternate Regional             ZA15, ZJ30, ZJP3
                                           Security Officer
 4.    POI168P          29     OQA         Local Security Officer         ZA15, ZJ30, ZJP3
 5.    POI169P          18     OQA         Alternate Local                ZA15, ZJ30, ZJP3
                                           Security Officer
 6.    POI348P           9     OQA         National Disability            ZA15, ZJ30, ZJP3
                                           Determination Service
                                           System Disability
                                           Insurance Quality
                                           Reviewer
 7.    PRO765P          10     OAS         Model District Office          ZA05, ZA15, ZJ30,
                                           Manager                        ZJ95, ZS97
 8.    PRX015P          39     OAS         Operations Officer             ZJ95, ZM11, ZS97
 9.    PRX016P          43     OAS         Staff Assistant                ZJ95, ZM11, ZS97
10.    PRX026P       4,252     OAS         Development Clerk              ZA05, ZA15
11.    PRX287P         913     OAS         Data Entry Operator            ZA05, ZA15
12.    PSS843P           3     SSASSO      Management Analyst             ZJ30
       TOTAL PINs    6,567

                                                                         APPENDIX B

SSA COMMENTS

                                                                         APPENDIX C

 MAJOR CONTRIBUTORS TO THIS REPORT

Office of the Inspector General

Donald G. Franklin, Director, Systems Audits

Albert J. Darago, Audit Manager

Randy J. Townsley, Auditor-in-Charge

Anita M. McMillan, Senior Systems Auditor


For additional copies of this report, please contact the Office of Inspector General's
Public Affairs Specialist at (410) 966-5998. Refer to Common Identification Number
A-13-98-12009.

                       APPENDIX D

SSA ORGANIZATIONAL CHART
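The least-privilege profile review described in Finding 1 (recommendations 1, 3 and 6) and the audit-trail examination in recommendation 2, worked through as an added example. This is not code from the report, from SSA, or from the TOP SECRET product; it models a profile as the set of transaction IDs granted to every PIN assigned to it. The profile names, positions, PIN counts and high-risk transaction IDs are taken from Appendix A; the full contents of each profile (the "Q..." query-only IDs), the profile PXX000P for an authorized position, the position names used as authorization labels, and the audit-trail records and their format are constructed for illustration and are not from the report.

```python
"""Least-privilege review of TOP SECRET profiles, modelled on Appendix A.

Added example, not code from the SSA OIG report or from SSA.  A profile grants
a set of transaction IDs to every PIN assigned to it.  review_profiles() flags
high-risk IDs held by positions not authorized to update high-risk data entry
fields (recommendations 1, 3 and 6); scan_audit_trail() lists every use of such
an ID by a PIN on a flagged profile so it can be examined (recommendation 2).
"""
from collections import namedtuple

# High-risk transaction IDs named in Appendix A (they establish a claim or
# process post-entitlement actions that change eligibility or benefit amount).
HIGH_RISK_IDS = frozenset({"ZA05", "ZA15", "ZJ30", "ZJP3", "ZJ95", "ZM11", "ZS97"})

# Positions the report says are authorized to update high-risk data entry
# fields.  The spelling of these labels is an assumption of this example.
AUTHORIZED_HIGH_RISK_POSITIONS = frozenset({
    "Operations Supervisor", "Field Representative",
    "Generalist Claims Representative", "Title XVI Claims Representative",
})

Profile = namedtuple("Profile", "name component position pins transaction_ids")

# Constructed profile contents: names, positions, PIN counts and high-risk IDs
# follow Appendix A; the "Q..." IDs are placeholder query-only IDs and PXX000P
# is a constructed profile for an authorized position.
PROFILES = [
    Profile("POI118P", "OQA", "General", 1210,
            {"Q001", "Q002", "ZA15", "ZJ30", "ZJP3"}),
    Profile("PRO765P", "OAS", "Model District Office Manager", 10,
            {"Q001", "ZA05", "ZA15", "ZJ30", "ZJ95", "ZS97"}),
    Profile("PRX026P", "OAS", "Development Clerk", 4252,
            {"Q001", "Q003", "ZA05", "ZA15"}),
    Profile("PSS843P", "SSASSO", "Management Analyst", 3, {"Q001", "ZJ30"}),
    Profile("PXX000P", "OAS", "Field Representative", 500,
            {"Q001", "ZA05", "ZA15", "ZJ30"}),
]


def excess_ids(profile):
    """High-risk transaction IDs this profile grants without a job-related need."""
    if profile.position in AUTHORIZED_HIGH_RISK_POSITIONS:
        return frozenset()
    return frozenset(profile.transaction_ids) & HIGH_RISK_IDS


def review_profiles(profiles):
    """Least-privilege review.

    Returns ({profile name: sorted excess IDs}, number of PINs exposed), i.e.
    the transaction IDs to remove under recommendation 1 and the PIN population
    whose audit trail recommendation 2 asks SSA to examine.
    """
    findings = {p.name: sorted(excess_ids(p)) for p in profiles if excess_ids(p)}
    exposed_pins = sum(p.pins for p in profiles if p.name in findings)
    return findings, exposed_pins


def scan_audit_trail(profiles, records):
    """List audit-trail records in which a PIN used an excess transaction ID.

    Each record is 'YYYY-MM-DD PIN PROFILE TRANSACTION_ID' (constructed
    format, not SSA's audit-trail layout).  Uses by PINs on profiles whose
    position is authorized for high-risk updates are not flagged.
    """
    excess_by_profile = {p.name: excess_ids(p) for p in profiles}
    hits = []
    for line in records:
        date, pin, profile, tid = line.split()
        if tid in excess_by_profile.get(profile, frozenset()):
            hits.append((date, pin, profile, tid))
    return hits


AUDIT_TRAIL = [  # constructed sample records
    "1999-04-01 P100001 PRX026P Q001",
    "1999-04-01 P100001 PRX026P ZA15",   # development clerk used a high-risk ID
    "1999-04-02 P200017 PXX000P ZA15",   # authorized position, not flagged
    "1999-04-02 P300042 PSS843P ZJ30",   # management analyst used a high-risk ID
]

if __name__ == "__main__":
    findings, pins = review_profiles(PROFILES)
    for name, ids in findings.items():
        print(f"{name}: remove {', '.join(ids)}")
    print(f"PINs with excessive access: {pins}")
    for hit in scan_audit_trail(PROFILES, AUDIT_TRAIL):
        print("examine:", *hit)
```

The review keys on the position's authorization rather than on the profile name, which is what makes it usable as the periodic post-implementation check in recommendation 6: when a position's duties change, updating AUTHORIZED_HIGH_RISK_POSITIONS re-evaluates every profile on the next run. The audit-trail pass only identifies transactions to examine; whether a flagged transaction was improper still has to be decided by reviewing the underlying case.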